By default CodeIgniter is a very secure framework and it also does a lot behind the scenes to help you out. I was recently contracted to look over a CodeIgniter application that was constantly getting hacked. So in light of what I seen I want to share some common pitfalls you need to avoid.
- Use Active Record! You should “almost” never write your queries manually.
- If you must write a query without active record be sure everything is escaped properly. $this->db->escape()
- Validate user input! CI has $this->input->post(), $this->input->get_post() and you should use those.
- Validate file uploads and use the upload library.
- Use the framework tools. It comes with tons of libraries and helpers that are designed to help you with common tasks. There is no reason to write
your own if already accomplishes what you need.
Yes I know every php developer should know about these but some people still just haven’t gotten the memo. So spread the word, write secure apps, and make the world a better place.